Welcome to the Netskope One DSPM Knowledge Base

    Installing Netskope One DSPM applications via AWS Terraform

    This article applies to customers who self-host a Netskope One DSPM instance within their own infrastructure.

    Overview

    These instructions describe how to configure and run an AWS Terraform script that provisions all AWS resources necessary for running a Netskope One DSPM environment within your own AWS VPC.

    Prerequisites

    Before beginning, the Netskope One DSPM AMI needs to be shared with your organization. To request a trial AMI, please contact your CSM and supply:

    • Your AWS account number;
    • The AWS region where you will deploy the Netskope One DSPM instance (which we require in order to share the image).

    In addition, you should have the following prerequisites validated before commencing the installation:

    • Admin privileges on the AWS user to be used for this installation. Specifically, check in the IAM Console under the Users section that your user has the AdministratorAccess and IAMFullAccess permissions assigned.
    • Note the access key details for this AWS user from the Security Credentials tab of the IAM Console. Create a fresh one if none exists. This will be needed during the step “Setting up the AWS Configuration” to configure your AWS environment from the AWS CLI.
    • Check from the Route53 Dashboard that a hosted zone is available for the domain where the Netskope One DSPM instance will be installed. Take a note of the Hosted zone ID, which will be required during the installation step “Running the Terraform Script”. Scroll to the left in case the hosted zone details are not fully visible.
    • If the requisite details are not visible or the hosted zone is not configured, please contact your IT department to create the requisite zone. Refer to the Architecture Details and HTTPS sections below for more details. The data warehouse which you would like to scan with Netskope One DSPM after installation must also be available and accessible within the same domain.

    • Check in the ACM Console that a valid certificate exists for the domain on which you will deploy the Netskope One DSPM instance. Note down the ARN by clicking the certificate ID. This will be needed during the installation step “Running the Terraform Script”.
    • Check that you have an SSH key pair available in the EC2 Console under the Network and Security section. If not, create one, then download and store it on your system. This will be needed during the installation step “Running the Terraform Script”.
    • Confirm that all the requisite software tools are installed and configured on your system. You need the following toolset installed, configured, and available in the PATH when invoked from a terminal prompt:

    In addition, ensure that you validate the versions of these tools by running the following commands at your terminal prompt:

    terraform --version (Ver 1.3.2 or higher)
    aws --version (Ver 2.8.2 or higher)
    git --version (Ver 2.38.x or higher)
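
    The version checks above, as an added example that is not part of the Netskope article: a small POSIX shell script that looks up each tool on the PATH, parses the version string each tool actually prints, and compares it against the stated minimum (2.38.x is treated as 2.38.0). The three-field numeric comparison is an assumption about how far the version strings need to be compared; it ignores pre-release suffixes.

```shell
#!/bin/sh
# Added example (not from the Netskope article): verify that the three CLI
# tools listed in the prerequisites are on PATH and meet the minimum versions
# the article states. Parsing is based on the tools' actual --version output:
#   terraform --version -> "Terraform v1.3.2"
#   aws --version       -> "aws-cli/2.8.2 Python/3.9.11 Linux/..."
#   git --version       -> "git version 2.38.1"

# extract_version STRING: print the first dotted version number in STRING.
extract_version() {
    printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*//'
}

# version_ge A B: succeed when dotted version A >= B. Up to three numeric
# fields are compared; a missing field counts as 0, so "2.38" == "2.38.0".
version_ge() {
    a=$(printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }')
    b=$(printf '%s\n' "$2" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }')
    [ "$a" -ge "$b" ]
}

# check_tool NAME MIN: report OK / TOO OLD / MISSING for one tool.
check_tool() {
    tool=$1; min=$2
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "MISSING: $tool is not on PATH"
        return 1
    fi
    # aws v1 prints its version on stderr, so merge the streams.
    raw=$("$tool" --version 2>&1 | head -n 1)
    have=$(extract_version "$raw")
    if version_ge "$have" "$min"; then
        echo "OK:      $tool $have (minimum $min)"
    else
        echo "TOO OLD: $tool $have (minimum $min)"
        return 1
    fi
}

# check_prereqs: run all three checks; fail if any tool is missing or too old.
check_prereqs() {
    rc=0
    check_tool terraform 1.3.2 || rc=1
    check_tool aws 2.8.2 || rc=1
    check_tool git 2.38.0 || rc=1   # the article says 2.38.x
    return $rc
}

# Run the checks only when this file is executed as a script named
# check_prereqs.sh (so it can also be sourced for its functions).
case "$0" in *check_prereqs.sh) check_prereqs ;; esac
```

    Save it as check_prereqs.sh and run sh check_prereqs.sh; a non-zero exit status means at least one tool is missing or below the minimum, which is worth catching before terraform init rather than partway through terraform apply.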

    Architecture Details

    HTTPS

    Our Terraform module creates an HTTPS application load balancer (ALB) in AWS ELB to ensure that all communication with the Netskope One DSPM web application is encrypted with SSL/TLS. 

    The module expects that:

    • The DNS zone into which the domain name will go is hosted by AWS’s Route 53.
    • A certificate, valid for the domain name, is present in the AWS Certificate Manager (ACM).

    During installation the module creates a DNS subdomain for the new Netskope One DSPM instance based on its public IP address. The module assigns this domain name to the ALB and configures the SSL certificate for the subdomain automatically.

    Note: The security group of the Netskope One DSPM EC2 instance allows access on the HTTP port only from the created ALB, ensuring that connections to the Netskope One DSPM web application must go through the ALB. This enforces HTTPS for all connections to Netskope One DSPM.

    SSH

    Our Terraform module creates a Netskope One DSPM EC2 instance with a public IP address, so that it can be reached via SSH (required for upgrades and debugging). Its security group only allows access on the SSH port from designated addresses, as described below. The module expects an SSH key pair.

    Network

    By default, the Terraform module creates a new VPC for the Netskope One DSPM software. Its subnets are public so that Netskope One DSPM can connect to all of the customer’s data warehouses, within or outside of the VPC. (The ALB is created in this VPC.)

    The module allows for setting a CIDR for SSH ingress and a list of CIDRs for HTTPS ingress. These default to the whole Internet, but we advise setting them to more restricted values.

    Setting up the AWS Configuration

    • At the terminal prompt or command shell, type aws configure and provide the inputs as below:
    AWS Access Key ID:
    AWS Secret Access Key:
    Default region name [us-west-2]:
    Default output format [json]:

    Note: Your AWS CLI should be referenced in the PATH variable.

    • Copy the following URL into your browser window to download the requisite Terraform scripts:
    https://Netskope One DSPM-release.s3.us-west-2.amazonaws.com/Netskope One DSPM-terraform.zip
    • Extract the Netskope One DSPM Terraform scripts into a folder on your local system. This creates a folder with two sub-folders, deploy and modules.

    Running the Terraform Script

    Navigate to one of the following directories created by the extraction above, depending on your desired outcome. For first-time installations, we recommend the instance_and_roles folder.

    Desired Outcome Directory
    Deploy Instance & Create IAM Roles deploy/instance_and_roles
    Create IAM Roles Only deploy/roles_only
    Deploy Instance Only deploy/instance_only

    From that directory, run the following command to initialize your Terraform environment:

    terraform init

    If your initialization is successful, you will see a message like “Terraform has been successfully initialized!”

    To validate that you have all the prerequisite configuration details available for the installation, run the following command:

    terraform plan

    When prompted, enter the following variables:

    # Variable Details
    1 acm_certificate_arn ARN of the AWS Certificate Manager (ACM) certificate to use for SSL termination on the load balancer as noted in the Pre-requisites section above. The certificate must be valid for subdomains of the parent_domain_name variable (see below).
    2 ami_id AMI ID of the Netskope One DSPM image shared with your organization. This value can be found in your AMI Catalog when filtering by Owner = “Shared With Me”.
    3 availability_zone AWS Availability Zone (AZ) in which to launch the Netskope One DSPM instance. The data warehouse must also be present in this AZ.
    4 hosted_zone_id ID of the AWS Route 53 Hosted Zone into which the subdomain for the instance will be added.
    5 key_name Name of an existing SSH key pair for the EC2 instance.
    6 parent_domain_name Name of the DNS domain in which a subdomain for the instance will be created. This must be in an AWS-hosted zone.

    If any of these details are not available to you, or you receive an error, please revisit the Prerequisites section at the start of the document before continuing further.


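    The six prompted variables in the table above, together with the SSH and HTTPS ingress CIDRs described in the Network section, are the inputs that decide how exposed the instance is. The following POSIX shell script is an added example, not the Netskope module's own code: it validates each value (ARN, AMI ID, availability zone, hosted zone ID, key name, domain) with a format check, rejects any ingress CIDR that is malformed or that is a /0 (the “whole Internet” default the article advises against), and renders the reviewed values as a terraform.tfvars file so that terraform plan and terraform apply read them from the file instead of prompting. The variable names ssh_ingress_cidr and https_ingress_cidrs are hypothetical: the article does not give the module's names for the ingress CIDRs, so check variables.tf in the chosen deploy/ folder and rename them; all resource values in the --example run are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Netskope article or its Terraform module.
# Validates the six inputs that terraform plan/apply prompt for, plus the SSH
# and HTTPS ingress CIDRs, and renders them as a terraform.tfvars file so the
# prompts are answered from a reviewed file instead of typed interactively.
# ASSUMPTION: ssh_ingress_cidr and https_ingress_cidrs are hypothetical names;
# the article does not give the module's variable names for the ingress
# CIDRs, so check variables.tf under deploy/ and rename them before use.

# valid_ipv4_cidr A.B.C.D/N: succeed when the string is a syntactically
# valid IPv4 CIDR (four octets 0-255, prefix 0-32).
valid_ipv4_cidr() {
    cidr=$1
    ip=${cidr%/*}
    prefix=${cidr#*/}
    [ "$ip" != "$cidr" ] || return 1                 # no "/N" present
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac  # prefix not numeric
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# restricted_cidr CIDR: valid AND not a /0. A /0 prefix is the whole
# Internet, which the module defaults to and the article advises against.
restricted_cidr() {
    valid_ipv4_cidr "$1" && [ "${1#*/}" -gt 0 ]
}

# matches STRING ERE: succeed when STRING matches the extended regex.
matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

check_acm_arn()     { matches "$1" '^arn:aws(-[a-z]+)?:acm:[a-z0-9-]+:[0-9]{12}:certificate/[0-9a-f-]+$'; }
check_ami_id()      { matches "$1" '^ami-[0-9a-f]{8,17}$'; }
check_az()          { matches "$1" '^[a-z]{2}(-[a-z]+)+-[0-9][a-z]$'; }
check_hosted_zone() { matches "$1" '^Z[A-Z0-9]{1,31}$'; }
check_domain()      { matches "$1" '^([a-z0-9-]+\.)+[a-z]{2,}$'; }

# hcl_list a,b,c: print the comma-separated items as an HCL list literal.
hcl_list() {
    out=""
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    for item in "$@"; do
        out="$out${out:+, }\"$item\""
    done
    printf '[%s]' "$out"
}

# render_tfvars ACM_ARN AMI_ID AZ HOSTED_ZONE_ID KEY_NAME PARENT_DOMAIN \
#               SSH_CIDR HTTPS_CIDRS(comma-separated)
# Validates every value, then prints terraform.tfvars content on stdout.
render_tfvars() {
    acm=$1; ami=$2; az=$3; zone=$4; key=$5; domain=$6
    ssh_cidr=$7; https_cidrs=$8
    check_acm_arn "$acm"      || { echo "bad acm_certificate_arn: $acm" >&2; return 1; }
    check_ami_id "$ami"       || { echo "bad ami_id: $ami" >&2; return 1; }
    check_az "$az"            || { echo "bad availability_zone: $az" >&2; return 1; }
    check_hosted_zone "$zone" || { echo "bad hosted_zone_id: $zone" >&2; return 1; }
    [ -n "$key" ]             || { echo "key_name is empty" >&2; return 1; }
    check_domain "$domain"    || { echo "bad parent_domain_name: $domain" >&2; return 1; }
    restricted_cidr "$ssh_cidr" \
        || { echo "ssh_ingress_cidr must be a valid CIDR narrower than /0: $ssh_cidr" >&2; return 1; }
    old_ifs=$IFS; IFS=,; set -- $https_cidrs; IFS=$old_ifs
    [ $# -gt 0 ] || { echo "https_ingress_cidrs is empty" >&2; return 1; }
    for c in "$@"; do
        restricted_cidr "$c" \
            || { echo "https_ingress_cidrs entry rejected: $c" >&2; return 1; }
    done
    cat <<EOF
acm_certificate_arn = "$acm"
ami_id              = "$ami"
availability_zone   = "$az"
hosted_zone_id      = "$zone"
key_name            = "$key"
parent_domain_name  = "$domain"
# Hypothetical variable names; see the module's variables.tf for the real ones.
ssh_ingress_cidr    = "$ssh_cidr"
https_ingress_cidrs = $(hcl_list "$https_cidrs")
EOF
}

# Constructed placeholder values (not real resources) to show the output;
# run as: sh render_tfvars.sh --example > terraform.tfvars
if [ "${1:-}" = "--example" ]; then
    render_tfvars \
        "arn:aws:acm:us-west-2:123456789012:certificate/11111111-2222-3333-4444-555555555555" \
        "ami-0123456789abcdef0" "us-west-2a" "Z0123456789EXAMPLE" \
        "dspm-admin-keypair" "example.com" \
        "203.0.113.0/24" "203.0.113.0/24,198.51.100.0/24"
fi
```

    Placing terraform.tfvars in the deploy/ sub-directory you chose makes terraform plan and terraform apply pick it up automatically; the format checks only catch typos, so a value that passes still has to exist in your account, and the CIDR checks deliberately fail closed on the /0 default rather than silently accepting an Internet-wide SSH rule.
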
    To start the Terraform installation, run the following command from the deploy/instance_and_roles folder:

    terraform apply

    The script will begin and perform the following actions:

    1. Prompt you for input - Provide the same set of 6 configuration details, in sequence, as listed in the table above.
    2. Check for errors - In the event an error occurs, follow the on-screen instructions for correcting and resuming.
    3. Output a resource modification list - To learn more about the resources created by the script, see the Resources Created section below.
    4. Prompt you to confirm before executing - To confirm, you must type yes.

    When the script completes successfully and the AWS resources are provisioned correctly, the output will be similar to the following example. Take a note of the https_fqdn value and enter it in your browser to reach the Netskope One DSPM sign-in page.

    Apply complete! Resources: XX added, 0 changed, 0 destroyed.
    
    Outputs:
    https_fqdn = "Netskope One DSPM.Netskope One DSPM.in"
    ids = "i-0d5f0f9e5b6587f38"
    ssh_ip = [
        "XXX.XXX.XXX.XXX",
    ]
    vpc_id = "vpc-00d9c34cbfad6cc50"
    

    Resources Created

    In the console output, the following resources are listed (depending on which deploy/ sub-directory was chosen above):

    Resource Type Resource Name
    EC2 Instance (m5.2xlarge) Netskope One DSPMInstance
    IAM Role Netskope One DSPMRole
    IAM Role Netskope One DSPMGlueServiceRole
    IAM User Netskope One DSPMUser

    In addition, the following permissions are assigned to the new IAM Roles: 

    Role Name: Netskope One DSPMRole

    Permission Name Purpose
    AWSGlueConsoleFullAccess Provides full access to AWS Glue via the AWS Management Console
    AmazonEC2ReadOnlyAccess For getting regions and instance IDs
    AmazonRDSReadOnlyAccess For discovering RDS clusters
    AmazonRedshiftReadOnlyAccess Required for discovering RedShift clusters
    AmazonAthenaFullAccess Required for discovering Athena clusters and running scans
    AmazonS3ReadOnlyAccess Required for scanning S3
    AmazonDynamoDBReadOnlyAccess Required for scanning DynamoDB

    Role Name: Netskope One DSPMGlueServiceRole

    Permission Name Purpose
    AmazonS3ReadOnlyAccess Required for scanning S3
    AWSGlueServiceRole Required to allow access to related services including EC2, S3, and CloudWatch Logs

    Generate API Keys

    Once your deployment is complete, you will need API keys for later use in connecting Netskope One DSPM to the current AWS account. Generate a new pair using the following instructions:

    1. Navigate to the IAM Management Console > Users section.
    2. The Users list is displayed.
    3. In the User name column, click on the Netskope One DSPMUser hyperlink.
    4. The User Summary screen is displayed.
    5. Navigate to the Security credentials tab.
    6. Under the Access Key section, click the Create access key button.
    7. The Create access key modal is displayed.
    8. Download or copy the following values to your local machine for later use:
      1. Access key ID
      2. Secret access key
